Flatboard 5.5.1 "AEGIS" — Release

🚀 Flatboard 5.5.1 "AEGIS" — What's new since 5.4.1

This release series brings security hardening, major performance gains, a revamped search experience, and a handful of useful new features.

🔴 Security

• CSRF protection added to search, all Private Messaging write endpoints, FlatHome admin endpoints, and all plugin write actions (Reputation, TranslationManager)
• Open redirect via HTTP_REFERER patched
• Header injection in file downloads neutralized
• MX DNS validation at registration to block fake email addresses
• SSRF protection added to Logger webhook delivery
• Unsafe unserialize() replaced in ForumImporter (vBulletin)

⚡ Performance

• PermissionHelper results cached per request — eliminates ~12 redundant I/O reads per page load (e.g. for Private Messaging permission checks)
• Presence system rewritten with one file per user — no more write contention on the shared presence file under load
• FlatHome getAllPages() cached for the duration of each request
• Forum Monitoring — fatal memory exhaustion fixed, all 6 stat calls cached (5-min TTL), redundant file reads eliminated
• FlatModerationExtend storage reads cached within each request

✨ New features

• Customizable homepage — admins can choose between latest discussions or the categories grid. /forums and /discussions always point to their respective views regardless of this setting.
• Plugin & theme compatibility system — incompatible plugins are auto-disabled at boot, flagged with a red badge, and admins receive a one-shot notification. Themes display a warning but are not auto-deactivated.
• Purge unverified accounts — via the admin Maintenance panel or php console.php cleanup:unverified-users [days]
• Admin users: filter by group — new dropdown in the users list filter bar
• Profile: unsubscribe button in the subscriptions tab
• Presence: page visit history per user (configurable size)
• Forum Monitoring (Pro) — active user cards now show recently visited pages
• Premium theme — full stats block (discussions, replies, members, online users) now visible in all sidebar views

🔎 Search overhaul

• Autocomplete now actually returns results
• Result count no longer capped at 20
• "Load more" works on the search results page
• Excerpts no longer show raw markdown or bleed inline formatting
• Search result cards are fully clickable
• Performance: sort → slice → format (was: format all matches, then sort)

🛠️ Other notable fixes

• System emails (verification, password reset, email change) now sent in the site language instead of always French
• EasyMDE draft auto-save no longer stores empty content
• Plugin updates — object arrays in plugin.json no longer duplicated on each update
• Private Messaging typing indicator now works correctly
• Unverified accounts no longer appear in member lists, stats, or latest member counts
• Login redirect in subdirectory installs — post-login redirect now correctly lands on the subfolder root instead of the domain root
• remember_token cookie scope corrected for subdirectory installs

📋 Full changelog

The complete changelog with all technical details is available in full changelog thread.

Thank you to everyone who reported bugs and contributed to this release. 🙏